Forum Discussion
Problem with Kerberos in iApp for Exchange 2013
Hey,
I have set up an iApp for Exchange 2013 (f5.microsoft_exchange_2010_2013_cas.v1.3.0) on BIGIP 11.4.1.
Now, Autodiscover won't work and to me it looks like some Kerberos problem.
I have reviewed the config following https://devcentral.f5.com/articles/apm-cookbook-single-sign-on-sso-using-kerberos, but instead of
fetched S4U2Self ticket for user: test.user@F5.DEMO
I get the following:
May 26 17:52:10 F5BIGIP03 info websso.1[13873]: 014d0011:6: 1c8813d7: Websso Kerberos authentication for user 'testuser' using config '/PTA_Gruppe/PTAexchange.app/exchange_ntlm_kerberos_sso'
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0046:7: 1c8813d7: adding item to WorkQueue
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0018:7: sid:1c8813d7 ctx:0x8f9e528 server address = ::ffff:172.17.27.192
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0021:7: sid:1c8813d7 ctx:0x8f9e528 SPN = HTTP/exmbx01.domain.com@DOMAIN.COM
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0023:7: S4U ======> ctx: 1c8813d7, sid: 0x8f9e528, user: testuser@DOMAIN.COM, SPN: HTTP/exmbx01.domain.com@DOMAIN.COM
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Getting UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: fetched new TGT, total active TGTs:1
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT: client=host/bigip_ntlmuser@DOMAIN.COM server=krbtgt/DOMAIN.COM@DOMAIN.COM expiration=Tue May 27 03:52:10 2014 flags=40600000
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT expires:1401155530 CC count:0
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: Initialized UCC:testuser@DOMAIN.COM@DOMAIN.COM, lifetime:36000 kcc:0x9054ae8
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: testuser@DOMAIN.COM server: HTTP/exmbx01.domain.com@DOMAIN.COM - trying to fetch
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: testuser@DOMAIN.COM - trying to fetch
May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testuser@DOMAIN.COM - Server not found in Kerberos database (-1765328377)
May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0024:3: 1c8813d7: Kerberos: Failed to get ticket for user testuser@DOMAIN.COM
I suppose that I have committed some really simple error. Can anyone give me a hint where I have to look?
Thank you!
Regards, Alex
- kunjan (Nimbostratus)
TGT: client=host/bigip_ntlmuser@DOMAIN.COM
The AD account you've created, is it with account name "host/bigip_ntlmuser" with host in it?
- Alexander_01_13 (Nimbostratus)
Yes, it is.
- kunjan (Nimbostratus)
For KDC configured for the Kerberos SSO, can you try to hard code the IP of the KDC?
- Alexander_01_13 (Nimbostratus)
Yes. I can, but the error message stays the same. I also have assured that the KDC is available to the BIGIP.
- mikeshimkus_111 (Historic F5 Account)
Hi Alexander, I assume that "exmbx01" is the name of your client access server (it looks like the name of a mailbox server). Is that correct?
thanks
Mike
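Added example, not part of the thread and not F5 tooling: a Python triage script for websso debug lines like those in the question. It extracts the target SPN, the delegation account from the TGT line and the failing S4U step, and decodes the numeric code using the MIT krb5 error-table base; the function name `triage` and the field names are made up for this example.

```python
import re

# MIT krb5 reports protocol errors as ERROR_TABLE_BASE_krb5 + the RFC 4120 code.
KRB5_BASE = -1765328384
RFC4120_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                  13: "KDC_ERR_BADOPTION", 37: "KRB_AP_ERR_SKEW"}

SPN_RE = re.compile(r"SPN = (\S+)")
TGT_RE = re.compile(r"TGT: client=(\S+) server=(\S+)")
ERR_RE = re.compile(r"can't get (S4U2Self|S4U2Proxy) ticket for user (\S+) - (.+?) \((-?\d+)\)")

# Three lines copied from the log in the question.
SAMPLE_LOG = """\
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0021:7: sid:1c8813d7 ctx:0x8f9e528 SPN = HTTP/exmbx01.domain.com@DOMAIN.COM
May 26 17:52:10 F5BIGIP03 debug websso.1[13873]: 014d0001:7: TGT: client=host/bigip_ntlmuser@DOMAIN.COM server=krbtgt/DOMAIN.COM@DOMAIN.COM expiration=Tue May 27 03:52:10 2014 flags=40600000
May 26 17:52:10 F5BIGIP03 err websso.1[13873]: 014d0005:3: Kerberos: can't get S4U2Self ticket for user testuser@DOMAIN.COM - Server not found in Kerberos database (-1765328377)
"""

def triage(log_text):
    """Return one finding per failed S4U ticket request in a websso debug log."""
    findings, spn, delegate = [], None, None
    for line in log_text.splitlines():
        if m := SPN_RE.search(line):
            spn = m.group(1)            # backend service the SSO config targets
        elif m := TGT_RE.search(line):
            delegate = m.group(1)       # principal the BIG-IP authenticated as
        elif m := ERR_RE.search(line):
            stage, user, text, code = m.groups()
            rfc_code = int(code) - KRB5_BASE
            findings.append({
                "stage": stage, "user": user, "spn": spn,
                "delegation_account": delegate,
                "error": RFC4120_ERRORS.get(rfc_code, f"krb5 code {rfc_code}"),
                "message": text,
                # Starting point only, not a diagnosis: S4U2Self asks for a ticket
                # to the delegation account itself, S4U2Proxy for the target SPN.
                "check_principal": delegate if stage == "S4U2Self" else spn,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
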